Updating your system for the z/OSMF started procedures

z/OSMF processing is managed through the z/OSMF server, which runs as a pair of started tasks on your system, IZUANG1 and IZUSVR1. This topic explains how to update your system for the z/OSMF started tasks.

Verify that the z/OSMF server has sufficient authorization

To ensure that the z/OSMF server can perform as required, verify that the z/OSMF started task user ID has sufficient permissions for your environment. By default, this user ID is IZUSVR, but you might have specified another user ID during the configuration process; see Step 1: Run the security commands for the z/OSMF resources.

By default, both of the z/OSMF started tasks (IZUANG1 and IZUSVR1) run under the started task user ID, IZUSVR. To assign a user identity to the started tasks, you can specify a job name (JOBNAME=) on the START command. Here, the job name is used as part of the SAF resource name that is passed to your security product. If you omit the JOBNAME= specification, the default member names will be used: IZUANG1 and IZUSVR1. Ensure that the job name is defined in the security profiles for the started tasks. For considerations, see Defining the z/OSMF started procedures to RACF.

Information about starting the started tasks, and setting them up to start after every IPL, is provided in Step 3: Start the z/OSMF server.

Add the started procedure names to the AUTOLOG statement

You must ensure that TCP/IP services are available to the z/OSMF server at initialization. To do so, add the z/OSMF started procedure names IZUANG1 and IZUSVR1 to the AUTOLOG statement in your TCP/IP profile (PROFILE.TCPIP).

For information about the AUTOLOG statement, see z/OS V2R1.0 Communications Server: IP Configuration Reference.

Defining the z/OSMF started procedures to RACF

The IZUSEC job contains sample RACF commands for defining the z/OSMF started procedures to the STARTED class. Figure 1 shows the commands that are provided in the job.
Figure 1. RACF commands for defining the started procedures to the STARTED class

//* Define the STARTED profiles for the z/OSMF server                *
RDEFINE STARTED IZUSVR1.* UACC(NONE) STDATA(USER(IZUSVR) +
   GROUP(IZUADMIN) PRIVILEGED(NO) TRUSTED(NO) TRACE(YES))
RDEFINE STARTED IZUANG1.* UACC(NONE) STDATA(USER(IZUSVR) +
   GROUP(IZUADMIN) PRIVILEGED(NO) TRUSTED(NO) TRACE(YES))

You can create more specific profiles to associate the started tasks with particular job names. Doing so allows you to run the started tasks under another user ID, as needed, based on job name. Use this method to control the behavior of the started tasks, rather than modifying the started procedures directly. Note that any user ID that is used for running the started tasks must have the same security authorizations as the started task user ID. By default, this user ID is IZUSVR.

With the STARTED class, you can modify the security definitions for started procedures dynamically, using the RDEFINE, RALTER, and RLIST commands. For more information, see the topic on using started procedures in z/OS Security Server RACF Security Administrator's Guide.
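The job-name-specific profile described above, shown as an added example that is not part of the IZUSEC job. The job name ZOSMFT1 and the user ID IZUSVRT are hypothetical placeholders; IZUSVRT is assumed to exist already with the same security authorizations as IZUSVR.

```tso
/* Added example. ZOSMFT1 (job name) and IZUSVRT (user ID) are       */
/* hypothetical placeholders, not names supplied with z/OSMF.        */

/* Profile for procedure IZUSVR1 when started with JOBNAME=ZOSMFT1.  */
/* The resource name is member.jobname, so this profile is more      */
/* specific than IZUSVR1.* and is the one used for that job name.    */
/* PRIVILEGED(NO) and TRUSTED(NO) keep normal authorization checking */
/* in force, as in the sample profiles.                              */
RDEFINE STARTED IZUSVR1.ZOSMFT1 UACC(NONE) STDATA(USER(IZUSVRT) +
   GROUP(IZUADMIN) PRIVILEGED(NO) TRUSTED(NO) TRACE(YES))

/* Refresh the in-storage STARTED profiles so the change takes       */
/* effect without an IPL.                                            */
SETROPTS RACLIST(STARTED) REFRESH

/* Verify the identity that each profile assigns.                    */
RLIST STARTED IZUSVR1.ZOSMFT1 STDATA
RLIST STARTED IZUSVR1.* STDATA

/* Operator command (entered at the console, not in TSO) that        */
/* matches the new profile:                                          */
/*    S IZUSVR1,JOBNAME=ZOSMFT1                                      */
/* A START without JOBNAME= still resolves through IZUSVR1.* and     */
/* runs under IZUSVR.                                                */
```

With TRACE(YES) in the profile, RACF issues a message at each start that records the profile used and the user ID assigned, which gives a log entry to check that the intended identity was picked up.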